--to-destination of DNAT issue -- or my misinterpretation?

Jan Engelhardt jengelh at linux01.gwdg.de
Thu Sep 14 16:01:49 CEST 2006


>> > It seems I can't specify several --to-destination (like the man page
>> > tells), and iptables doesn't spit any errors.
>> > 
>> > Am I doing something wrong?
>> 
>> Only one --to-destination is supported.
>
> This restriction was first introduced in kernel 2.6.11. Previous 2.6 kernels,
> as well as 2.4 kernels, should support multiple ranges.
>
> ChangeLog-2.6.11 :
> " [PATCH] Remove NAT to multiple ranges
> The NAT code has the concept of multiple ranges: you can say "map this
> connection onto IP 192.168.1.2 - 192.168.1.4, 192.168.1.7 ports
> 1024-65535, and 192.168.1.10".  I implemented this because we could.
>
> But it's not actually *used* by many (any?) people, and you can
> approximate this by a random match (from patch-o-matic) if you really
> want to.  It adds complexity to the code."
>
> changes-iptables-1.3.4.txt :
> " Print error message when multiple "--to" DNAT/SNAT args are used
> with kernel >= 2.6.10"
>                     ^^
> There seems to be a little mistake here, should be 2.6.11 according to Linux
> changelog.

That iptables(1) manpage got it right:

              Later Kernels (>= 2.6.11-rc1) don't have the ability to  NAT  to
              multiple ranges anymore.


Jan Engelhardt
-- 
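Added example, not from this thread nor from the netfilter project: a POSIX shell script that emits (but does not apply) a rule set approximating the removed multi-destination DNAT with a chain of probabilistic rules. It assumes the in-tree `statistic` match as the successor of the patch-o-matic `random` match the changelog refers to; port 80 and the 192.0.2.x backend addresses are constructed values.

```shell
#!/bin/sh
# Constructed example: spread new connections over several DNAT backends,
# one rule per backend, using "-m statistic --mode random --probability".
# Assumption (not from the thread): the statistic match stands in for the
# patch-o-matic random match. Nothing here touches the kernel; rules are
# printed so they can be reviewed before being applied.

# Probability rule k (1-based) out of n must carry so that each backend ends
# up with an equal 1/n share. Each rule only sees the traffic the earlier
# rules skipped, so the shares are 1/n, 1/(n-1), ..., 1, not 1/n every time.
share_for() {   # $1 = rule index, $2 = number of backends
    awk -v k="$1" -v n="$2" 'BEGIN { printf "%.6f", 1 / (n - k + 1) }'
}

# Emit the PREROUTING rules for TCP port $1; remaining args are backends.
dnat_spread() {
    port=$1; shift
    n=$#
    k=1
    for backend in "$@"; do
        if [ "$k" -lt "$n" ]; then
            printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -m statistic --mode random --probability %s -j DNAT --to-destination %s:%s\n' \
                "$port" "$(share_for "$k" "$n")" "$backend" "$port"
        else
            # Last rule is unconditional: whatever the earlier rules skipped lands here.
            printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
                "$port" "$backend" "$port"
        fi
        k=$((k + 1))
    done
}

# Usage (prints three rules for constructed backends):
dnat_spread 80 192.0.2.10 192.0.2.11 192.0.2.12
```

The decreasing probabilities are the part people get wrong: giving every rule `--probability 1/n` leaves the last backend with far more than its share. A single contiguous range (`--to-destination 192.0.2.10-192.0.2.12`) still works with one rule; the chain above is only needed when the targets are not contiguous.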



More information about the netfilter mailing list